Web Security Ben Stock

News

18.07.2018

Exam results and inspection

The exam results are now visible in the CMS. You can find the exact points for each of the tasks as well as the grade table there. The inspection will be on Friday, 9-11, most likely (and unless you hear otherwise) in CISPA's room 0.07 (meeting room next to the foyer).

If you cannot make it due to another exam, please write me an email such that we can arrange a separate slot.

Good night (*yawn*)!

17.07.2018

Seat Key uploaded

The seat assignment for tomorrow's exam is now available at https://cms.cispa.saarland/websec18/dl/41/Seat_map.pdf

The seat map will also be posted on the door and all exams have the matriculation numbers and names of the student on them.

14.07.2018

Hardware issues with screecher installations / gitlab

Hi all,

just in time there now is an HDD issue with our VM host, which needs to be fixed by the CISPA admins. I hope this will be fixed on Monday, but to avoid any additional integrity damage, I have taken offline the VMs and gitlab for now. Since you should all have your own git repositories locally, I hope this does not interfere with your exam preparation.

11.07.2018

Evaluation results

Sadly, just a couple hours too late, the evaluation results have arrived. They are available at https://cms.cispa.saarland/websec18/dl/39/Evaluation_results.pdf

First of all, thanks for the positive feedback. It seems like many of you enjoyed the course as much as I did. Thank you also for suggested improvements. I want to address a couple of them here:

  • As for the exercise bugs, these were related to us developing screecher alongside the lecture, which is kind of fixed "by design" for the next iteration.
  • The assignment of teams is a known issue: scaling things up to 60 VMs seems infeasible (also for grading reasons), and reducing the course to 30 people would have left half of you not attending the lecture :) More tutors are not really an option, as we get no funding from the university for advanced lectures.
  • I doubt that there will be a script, but we can add comments about related books.

Thanks again for those items. We will try to incorporate the feedback in the next iteration!

05.07.2018

Grading for #9 / Note on #10 / Q&A lecture

The grading for sheet 9 is online since last night. As in the previous weeks, please approach me if you have questions regarding the grading/feedback.

For sheet 10, please note that you naturally have another key than we do for the CRIME attack. Hence, just giving you key from the config is pointless. Also, if you run into trouble with the attack, try to make sure that you add more redundancy to your message to best leverage the compression oracle.

Last, but not least, regarding the Q&A lecture: as this requires a bit of preparation, make sure that all your desired topics and votes are in the Askbot before Tuesday, 8am. After that, I will feel free to ignore any additional questions coming in, to make sure that those questions asked early are being addressed properly in the lecture.

14.06.2018

Exercise sheet #7 graded / Note on exercise sheet #8

The grading for exercise #7 is now stored. If you have questions, please direct them to me and not Sebastian.

For sheet 8, please note that your solution must still work with our checkers which use python requests. We have had some issues related to encodings of cookies - so please make sure that your fix not only works for Chrome, but that our checker is satisfied :) 

13.06.2018

Note about current exercise sheet

For OwlCash, you must not completely remove storage of the information about the last mined block on the client. You have to fix the issue in some other way :)

11.06.2018

Questions for the exam preparation

To allow for optimal scheduling of time in the Q&A lecture, please use the Askbot to note things you would like to see covered (and upvote those that others asked and you want to have addressed)

08.06.2018

Grading finished for sheet #5 / Feedback for lecture and exercise

I have finished the grading for sheet 5 and the results are in the CMS. If you have questions about your points, please direct them to me and not Sebastian.

Moreover, next week is the evaluation week for all courses. I will distribute the evaluation sheets in the middle of the lecture - this way you get a break and have fun evaluating :-) If possible, please think of things you want to improve in advance, such that you already have those things in mind when you come in.

07.06.2018

Grading for exercise #6 online

The grading for exercise #6 is now stored. Please note that I did not leave individual feedback, since the correct answers are shown in the example solution. If you have questions, please direct them to me and not Sebastian.

07.06.2018

Note on Exercise #7

You must not use stacked queries (i.e., multiple queries separated by a semicolon) for any of the tasks. Moreover, please note that any modification of the existing data is forbidden by the rules of the exercise sheet. 

07.06.2018

Less points for Sheet #6

As discussed in the lecture, I did not do a good job explaining the allow-same-origin necessity for the Twitter iframe. I have therefore decided not to grade 1g) of Exercise sheet #6, so as to not punish anybody who did not get this right. Therefore, the sheet only has 28 points now.

18.05.2018

Grading of exercises / Gameserver feedback / no lecture next week

Since not all of you attended the tutorial today, let me fill you in on a couple of things:

  • The gameserver only checks one specific exploit. Just because this does not work anymore does not mean that your fix was correct, only that our one exploit stopped working. Please double check your code to see that the flaw is actually gone (e.g., by attacking it with your own exploit).
  • We have deducted points from answers that are not brief. We don't do this out of spite, but rather to give you feedback that an answer was too long. We do this now where it does not hurt too much, rather than having you answer only half the questions in the exam in a verbose manner, not allowing you to have time for any other tasks.
  • Starting from sheet #4, you'll get brief feedback on why we deducted points via CMS. If you still feel the need to discuss any specifics with Sebastian, today's slides show his office hours.

Last but not least: there will be no lecture next week. This is why this week's sheet has 60 points and is due on May, 30th.

16.05.2018

Bug in Exercise 5 Task 3 CSP

There is an error present in the CSP Task. We are currently working on a fix which will be pushed in your repositories ASAP.

Sorry for that inconvenience.

15.05.2018

Slight change to exercise task

Please make sure that in your submission, you include a link to the merge request (e.g., https://gitlab.websec.saarland/team25/screecher/merge_requests/2). This allows for easier grading (not requiring us to look up the team ID first and so on).

07.05.2018

Exercise submission

Since I saw this with some of the already submitted exercises: please read the instructions carefully! You must provide the hash of the commit you want us to consider for the fixed version as well as the exploits. Also, create a merge request in Gitlab for your changes once you are done. 

If the commit hash is missing from the uploaded PDF, we will not consider any code in the Git repository. Please make sure that you understand all instructions on the sheet. If not, please state your questions on Askbot for us to answer (and all others to see).

02.05.2018

Updated exercise sheet and git

Due to a last minute change in our implementation, there was a bug in the exercise. I have uploaded a new version to the git. If you have already started your work, please rebase your development branch to the new master. If you have not, I have just updated your deployed version in the VMs for you.

02.05.2018

Updated lecture slides and questions regarding Git

I have uploaded a new version of the lecture slides, which fixes a couple of typos.

Also, if you have questions about how to use Git or the workflow, please state them in the Askbot. Many things can likely be answered by your fellow students. Since this question already came up: you cannot push changes to the master branch. This is so that when submitting your solution, you can create a merge request, which we can use for grading. Please branch before changing anything (if you have questions about this, ask them in the Askbot or on Friday).

02.05.2018

Tutorial on Friday

Hey,

The Doodle has spoken! Thus the Tutorial will take place on Friday 10-12 at the CISPA Lecture Hall.

I will explain topics regarding the current project, answer questions, and if there are solutions I will present them to you.

See you Friday,

Sebastian

25.04.2018

Tutorial Doodle

To find a date that suits most of the students, please fill out the following doodle:
https://doodle.com/poll/h5a9kut2w5pt5mg5

22.04.2018

Exercise Sheet 2 Task 5 changes

There is a small error in Exercise Sheet 2 Task 5 JSONP.

Please ignore the "in 1-2 sentences" part of this Task.

Sorry for that inconvenience.

19.04.2018

Gitlab for Exercises

For the exercises, we will use Git, specifically Gitlab to a) deploy new tasks to your VMs and b) have you submit your solutions (fixes and attacks) as pull requests. Please go ahead and register yourself in https://gitlab.websec.saarland. For now, you will not be able to access any groups or create projects. Please use the email address you use for CMS and provide your real name when registering.

18.04.2018

No recording / Team assignment

As I feared, the snafus in the media controls also resulted in the lecture not being recorded. We'll try again in two weeks.

More importantly: please find your team partners until April, 25th and mail your team info to Sebastian. Whoever does not name their team or at least indicate that they want to participate but have not found a team mate yet will not be able to take part in the practical exercises (i.e., will not reach the required points for admission to the exam).

11.04.2018

Bug in exercise 1

Hi all,

there was a minor issue with the exercise: there was a task on it which we did not cover in the lecture. This is due to a slight change in topic for the first lecture. Please find the updated version of the sheet online now (there is just one less task :)).

Best Regards

 Ben Stock


The course is full. Unless you are already registered, you will have to wait until next year.

Web Security

The lecture will take place every Wednesday from 10-12, starting April 11th.

More information on the lecture will become available later on.

Exams 

  • Main exam: 18.7.2018, 10-12 (Room TBA)
  • Backup exam: 11.10.2018 10-12 (Room TBA)

Exercises 

After each lecture, you will be assigned exercises. These will typically consist of both theoretical questions and practical problems.

To be admitted to the exam, the following two criteria need to be fulfilled:

  • On average, you reach 50% of all available points for all exercise sheets.
  • On each exercise sheet, you reach at least 25% of the points. You may only skip up to 2 sheets altogether (or get less than 25% of the points on them).

Naturally, if a student is sick and therefore unable to submit their sheet, the sheet will not be considered. This only holds true if:

  • The student is reported sick by a doctor's note on the day of the submission
  • The doctor's note is submitted before or right after the submission deadline. At the very least, inform the tutor about the fact that you are sick.

